Healthcare Cybersecurity Weekly Briefing 8-18-2017

In a recent phone interview, Lee Kim, director of privacy and security at HIMSS, said a lack of financial resources can prevent some small practices from hiring IT professionals. That leaves such organizations at a disadvantage, as they don’t know what to prioritize. […] The survey also found 71 percent of respondents’ organizations assign a certain part of their budget to cybersecurity efforts. Of that group, 60 percent said they allocate 3 percent or more of their overall budget to such initiatives.

“Hospitals not only have thousands of computers, phones and laptops: they also have thousands of medical devices connected to the network,” John D. Halamka, M.D. and Chief Information Officer of the Beth Israel Deaconess System, wrote in an article for the PBS NEWSHOUR web site. “IV pumps, X-ray machines, and heart monitors sound like appliances, but in reality they are computers with network connections. Many of these medical devices have little to no security protections because manufacturers never assumed they would be attacked.”

The assaults on healthcare organizations aren’t likely to abate any time soon. “After two years of a steadily increasing cyber threat landscape that resulted in record numbers of patient records compromised, health organizations extorted financially, and hospital operations disrupted very publicly, 2017 is likely to be just as interesting,” predicts a Health IT Security perspective. “Hackers will continue to go after networks, systems, and applications that have been misconfigured or are not maintained properly.”

Medical devices are increasingly interesting to hackers as this life-saving equipment joins the internet of things (IoT) ecosystem. More than one-third (35.6%) of surveyed professionals within that ecosystem said their organizations experienced a cybersecurity incident in the past year. According to a Deloitte & Touche poll, identifying and mitigating the risks of fielded and legacy connected devices presents the industry’s biggest cybersecurity challenge (30.1%).

Part of the problem is that cyber criminals are moving faster to exploit vulnerabilities than organizations in healthcare and other industries can adjust their cyber defenses. In the case of WannaCry, the Los Angeles Times reported, “The tactic itself wasn’t innovative or surprising, exploiting a flaw in several versions of Microsoft’s Windows operating system that was well-known and well-publicized. A patch Microsoft issued in March to fix the issue could have taken businesses and organizations just a day or two to test and install.”

Over a Third of Healthcare IoT Organizations Suffered Cyber Incidents in the Past Year

Over 30 percent of respondents said identifying and mitigating the risks of fielded and legacy connected devices presents the industry’s biggest cyber security challenge. “It’s not surprising that managing cyber risks of existing IoT medical devices is the top concern facing manufacturers, providers and regulators,” Deloitte Risk and Financial Advisory partner Russell Jones said in a statement. “Legacy devices can have outdated operating systems and may be on hospital networks without proper security controls.”

“The healthcare and public health sector is charged with keeping patients safe,” officials wrote. “This includes physical and privacy related harms that may stem from a cybersecurity vulnerability or exploit. If exploited, a vulnerability may result in medical device malfunction, disruption of health care services (including treatment interventions), and inappropriate access to patient information, or compromised EHR data integrity. Such outcomes could have a profound impact on patient care and safety.”

While blockchain is a fairly new concept, a recent Deloitte survey found that 35 percent of healthcare and life sciences respondents plan to deploy blockchain in production within the next calendar year. At its core, a healthcare blockchain is a data repository of patient-related events. Transactions—everything from diagnoses and surgeries, to prescribed drugs and claim history—are permanently recorded, linked and augmented to continuously generate patient-specific insights. A blockchain system has no central authority, which is critical to its success.

Mitigating Medical Device Risks One of Biggest Challenges to IT Pros, Study

Of the 370 professionals surveyed, 30.1 percent reported that identifying and mitigating the risks of fielded and legacy connected devices is one of the medical device industry’s biggest cybersecurity challenges, according to the Deloitte poll. Embedding vulnerability management into the design phase of medical devices was the next biggest challenge with 19.7 percent of respondents choosing it as their biggest challenge. Nearly the same amount, 19.5 percent, said their monitoring and responding to cybersecurity incidents proved difficult.

Some artificial intelligence and machine learning proponents present the technologies as if they were manna from heaven, tools that have the capability to replace humans. And it’s not unusual for mere mention of the term “artificial intelligence” to evoke images of futuristic machines that can think for themselves. The truth is simpler than that. Artificial intelligence and machine learning are tools healthcare executives, technical staff and clinicians can use to enhance operations and improve healthcare.

“Unfortunately, I think HIPAA has focused healthcare organizations too much on data privacy and not enough on data integrity, data loss, disrupted operations and patient safety. You can get your identity back at some point, but not your life,” warns Denise Anderson, president of the National Health Information Sharing and Analysis Center (NH-ISAC). “Many of the attacks we are seeing, such as WannaCry, are disruptive attacks and are not data theft attacks. Organizations should be driven to focus on enterprise risk management and it should come from the Board and CEO level on down.”


About Critical Informatics

We are world-class information security professionals providing Managed Detection and Response services to help you be secure, compliant, and resilient against threats to the life safety, life-sustaining, and quality-of-life systems and services you provide to clients, customers, constituents, and communities.